Method and System for Dynamic Network Intrusion Monitoring, Detection and Response

A dynamic network intrusion monitoring and detection technology, applied in the field of network security, that addresses problems such as system administrators not having the time or ability to read through large amounts of constantly updated audit information, and not having the time to continuously monitor hacker activity for new tactics, tools and trends.

Status: Inactive. Publication Date: 2007-07-12
BT AMERICAS
Cites: 22. Cited by: 115.

AI Technical Summary

Benefits of technology

[0007] The MSM service is not intended to replace but to supplement, and thereby render more effective, a customer's existing preventive security products. Such products, which can include firewalls, servers, routers, intrusion detection systems, and other security products, can generate millions of lines of audit information each day. Buried in all that information may be the footprints of ongoing network attacks or intrusions. The MSM service can help filter and analyze all of that audit information in effectively real time to detect such attacks or intrusions.
[0008] Once a possible attack or intrusion (referred to more generally as an “incident” or “event”) is detected, its characteristics and particulars may then be examined and analyzed by trained security analysts continuously monitoring the customer's network to further understand the incident and eliminate false positives. In analyzing the incident, security analysts can draw upon information and knowledge contained in a variety of databases, including but not limited to security intelligence databases containing information about the characteristics of various hacker techniques and tools and known vulnerabilities in various operating systems and commercial software products and hardware devices. If necessary, security analysts can escalate the handling of the incident according to a variety of predetermined escalation procedures to stop the attack and shut down the vulnerability before the attacker does any damage. In effect, the MSM service acts as a defensive shield for a customer's network.
[0009] In an exemplary embodiment, the MSM service may allow for customization and complex data analysis. For example, the service may be customized, either dynamically or off-line, to accommodate network-specific needs and to reflect feedback received about the demonstrated efficacy of a real world response to an actual event. Furthermore, data filtering and analysis can include cross-product analysis, which allows the probe / sentry system to correlate readings from several different sensors and recognize them as reflecting the same happening. Such features ensure that the invention is capable of the rapid refinement necessary to combat network attacks.
[0014] D. Probe / Sentry System: The invention generally incorporates one or more probe / sentry systems that may collect data from a variety of software products and hardware to which they are attached. Such systems are preferably located within the customer's firewall and may collect such data from essentially any product or device that can be configured to provide data to a remote device. Once the probe / sentry system collects the data, it then filters or otherwise analyzes such data and then transmits noteworthy information, preferably via a secure connection, in the form of “sentry messages” to a gateway system (described below in section E) at a SOC. Preferably, the system can perform preliminary analysis of the resulting data, either by simple filtering, cross-correlation, cross-analysis, or other means to reduce the immense volume of raw data into core information worthy of further analysis.
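The cross-product correlation described in [0009] and the probe's filtering role in [0014], as an added illustration that is not part of the patent or of the MSM service's own software: audit readings from two different products are grouped by shared source and destination address within a time window, and a happening that more than one product observed is the one worth forwarding to the SOC as a single event. The record field names, the 60-second window and the sample readings are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit readings from two different products (a firewall and
# an IDS) watching the same hosts. Field names and values are assumptions.
SAMPLE_READINGS = [
    {"sensor": "firewall", "time": "2001-01-19T10:00:01", "src": "10.0.0.5",
     "dst": "192.0.2.10", "detail": "TCP SYN to port 23 denied"},
    {"sensor": "ids", "time": "2001-01-19T10:00:03", "src": "10.0.0.5",
     "dst": "192.0.2.10", "detail": "portscan signature matched"},
    {"sensor": "firewall", "time": "2001-01-19T10:00:04", "src": "10.0.0.5",
     "dst": "192.0.2.10", "detail": "TCP SYN to port 25 denied"},
    {"sensor": "ids", "time": "2001-01-19T10:09:00", "src": "10.0.0.5",
     "dst": "192.0.2.10", "detail": "portscan signature matched"},
    {"sensor": "firewall", "time": "2001-01-19T10:00:02", "src": "10.0.0.9",
     "dst": "192.0.2.11", "detail": "TCP SYN to port 80 allowed"},
]


def correlate(readings, window=timedelta(seconds=60)):
    """Group readings that share (src, dst) and fall within `window` of the
    group's first reading into one happening. Returns happenings in the order
    their first reading was seen, each listing the sensors that contributed."""
    by_key = defaultdict(list)
    for reading in sorted(readings, key=lambda r: r["time"]):  # ISO 8601 sorts lexically
        by_key[(reading["src"], reading["dst"])].append(reading)

    happenings = []
    for (src, dst), group in by_key.items():
        current = None
        for reading in group:
            seen_at = datetime.fromisoformat(reading["time"])
            # Open a new happening once the window since the first reading has lapsed.
            if current is None or seen_at - current["start"] > window:
                current = {"src": src, "dst": dst, "start": seen_at, "end": seen_at,
                           "sensors": set(), "readings": []}
                happenings.append(current)
            current["end"] = seen_at
            current["sensors"].add(reading["sensor"])
            current["readings"].append(reading)
    return happenings


def corroborated(happenings, min_sensors=2):
    """Keep only happenings reported by at least `min_sensors` distinct products:
    the readings worth forwarding to the SOC as one event rather than several
    unrelated alerts."""
    return [h for h in happenings if len(h["sensors"]) >= min_sensors]


if __name__ == "__main__":
    for h in corroborated(correlate(SAMPLE_READINGS)):
        print(f"{h['src']} -> {h['dst']} {h['start']:%H:%M:%S}-{h['end']:%H:%M:%S}",
              sorted(h["sensors"]), len(h["readings"]), "readings")
```

On the sample data the three readings about 10.0.0.5 within the first minute collapse into one happening seen by both products; the IDS reading nine minutes later opens a second happening on its own, and the allowed connection from 10.0.0.9 stays a single-sensor happening that the corroboration filter drops. Keying only on addresses is the simplest choice; a real probe would also match on the vulnerability or signature each product reports.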

Problems solved by technology

But because such products cannot be relied upon to work perfectly, and because security bugs may exist in other software or hardware, complete network security also requires monitoring, detection and response in the event of a breach.
System administrators normally do not have the time or ability to read through large amounts of constantly updated audit information, looking for attacks on their systems.
They also do not have the time to continuously monitor hacker activities, looking out for new tactics, tools and trends.
Finally, they do not have the time to become experts on every kind of intrusion and to maintain that expertise.



Examples


Example message

“001f 00003333 1111 2222X ALRT 12345678”

Notes
[0125] 1. All the above fields should have spaces between them.
[0126] 2. The first four-digit group is the length of everything after it (LENGTH) (the space through the end of "12345678").
[0127] 3. The second four-digit group is the revision field (REVISION).
[0128] 4. The third four-digit group is the probe / sentry number, which identifies a particular probe / sentry ("3333" in the example).
[0129] 5. The fourth four-digit group is the reference number defined by the probe / sentry system (REFNUM) ("1111" in the example).
[0130] 6. The fifth four-digit group is the status number defined by the probe / sentry system (STATUS) ("2222" in the example).
[0131] 7. The next one-digit field ("X") is the keyed Media Access Control (KMAC) value, if present. If not present, the value should be an "X."
[0132] 8. The next field is the op code (OPCODE). For filter-related messages, it is always "ALRT."
[0133] 9. The portion of the message after the space af...
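A parser and builder for the sentry message layout described in the notes above, added here as an illustration; it is not taken from the patent or from the MSM service's software. It reads the fixed-width header groups in the order the notes give them, tolerating the inconsistent spacing in the patent's own example (the revision and probe groups, and the status group and KMAC flag, run together there although note 1 calls for spaces), and checks the declared LENGTH against the characters that actually follow it. Assumptions: LENGTH is hexadecimal (inferred from the "f" in "001f"), a KMAC value of "X" means absent, and the payload after OPCODE is passed through opaque, since the page truncates the note describing it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The patent's own example message, copied from the page.
PATENT_EXAMPLE = "001f 00003333 1111 2222X ALRT 12345678"

# Fixed-width header groups that follow LENGTH, in the order the notes give them.
HEADER_FIELDS = (("revision", 4), ("probe", 4), ("refnum", 4),
                 ("status", 4), ("kmac", 1), ("opcode", 4))


@dataclass
class SentryMessage:
    length: int          # LENGTH as declared in the message
    actual_length: int   # characters actually following the LENGTH group
    revision: str
    probe: str
    refnum: str
    status: str
    kmac: Optional[str]  # None when the message carries the "X" placeholder
    opcode: str
    payload: str         # everything after OPCODE; format not given on the page

    @property
    def length_ok(self) -> bool:
        return self.length == self.actual_length


def _take(text: str, pos: int, width: int):
    """Skip any spaces at `pos`, then take exactly `width` characters."""
    while pos < len(text) and text[pos] == " ":
        pos += 1
    field = text[pos:pos + width]
    if len(field) != width:
        raise ValueError(f"message truncated at offset {pos}")
    return field, pos + width


def parse_sentry_message(msg: str) -> SentryMessage:
    head, sep, rest = msg.partition(" ")
    if not sep or not re.fullmatch(r"[0-9A-Fa-f]{4}", head):
        raise ValueError("missing or malformed LENGTH group")
    declared = int(head, 16)        # assumption: LENGTH is hexadecimal
    actual = len(msg) - len(head)   # from the separating space to the end
    fields = {}
    pos = 0
    for name, width in HEADER_FIELDS:
        fields[name], pos = _take(rest, pos, width)
    if pos < len(rest) and rest[pos] == " ":
        pos += 1                    # single space before the payload
    return SentryMessage(
        length=declared, actual_length=actual,
        revision=fields["revision"], probe=fields["probe"],
        refnum=fields["refnum"], status=fields["status"],
        kmac=None if fields["kmac"] == "X" else fields["kmac"],
        opcode=fields["opcode"], payload=rest[pos:])


def build_sentry_message(probe: str, refnum: str, status: str, payload: str,
                         opcode: str = "ALRT", revision: str = "0000",
                         kmac: Optional[str] = None) -> str:
    """Emit a message in the spaced form note 1 asks for, with LENGTH computed."""
    for name, value in (("revision", revision), ("probe", probe),
                        ("refnum", refnum), ("status", status), ("opcode", opcode)):
        if len(value) != 4:
            raise ValueError(f"{name} must be exactly four characters")
    if kmac is not None and len(kmac) != 1:
        raise ValueError("KMAC must be a single character")
    body = " ".join([revision, probe, refnum, status, kmac or "X", opcode, payload])
    # LENGTH covers the separating space as well as the body (note 2).
    return f"{len(body) + 1:04x} {body}"


if __name__ == "__main__":
    parsed = parse_sentry_message(PATENT_EXAMPLE)
    print(parsed, "length_ok =", parsed.length_ok)
    print(build_sentry_message("3333", "1111", "2222", "12345678"))
```

Parsing the patent's example yields probe 3333, REFNUM 1111, STATUS 2222, no KMAC and opcode ALRT, but a declared LENGTH of 0x1f (31) against 34 characters actually present, so the published example does not satisfy its own note 2; a gateway should treat such a mismatch as a framing error rather than trust the declared length. A message produced by build_sentry_message round-trips with the length check passing.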


Abstract

A probe attached to a customer's network collects status data and other audit information from monitored components of the network, looking for footprints or evidence of unauthorized intrusions or attacks. The probe filters and analyzes the collected data to identify potentially security-related events happening on the network. Identified events are transmitted to a human analyst for problem resolution. The analyst has access to a variety of databases (including security intelligence databases containing information about known vulnerabilities of particular network products and characteristics of various hacker tools, and problem resolution databases containing information relevant to possible approaches or solutions) to aid in problem resolution. The analyst may follow a predetermined escalation procedure in the event he or she is unable to resolve the problem without assistance from others. Various customer personnel can be alerted in a variety of ways depending on the nature of the problem and the status of its resolution. Feedback from problem resolution efforts can be used to update the knowledge base available to analysts for future attacks and to update the filtering and analysis capabilities of the probe and other systems.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS [0001] This application is a continuation application of and claims priority from U.S. Non-Provisional patent application Ser. No. 09 / 766,343 filed Jan. 19, 2001 (Attorney Docket No. 022133-000510US) which claims priority from and is a non-provisional of U.S. Provisional Patent Application No. 60 / 190,326, filed Mar. 16, 2000 (Attorney Docket No. 022133-000500US), the entire disclosures of these applications are incorporated herein by reference for all purposes.FIELD OF THE INVENTION [0002] This invention relates generally to network security and, more specifically, to methods and systems for dynamic network intrusion monitoring, detection and response. BACKGROUND OF THE INVENTION [0003] Most computer and network security products focus on prevention. Firewalls prevent unauthorized traffic from entering a company's internal network; authentication mechanisms prevent unauthorized persons from logging on to a company's computers; and encryption p...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): G06F12/14, G06F1/00, G06F21/00, H04L12/24, H04L29/06
CPC: G06F21/552, H04L63/20, H04L63/1416, G06F2221/2101
Inventors: SCHNEIER, BRUCE; GROSS, ANDREW H.; CALLAS, JONATHAN D.
Owner BT AMERICAS